Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 9067 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Total Traffice

AreshAreshi

Hi,

I have a question regarding the info that we see for the network usage in the dashbord.

When click for example on the external NIC then I can see all the connection and when click for example on the unclaasified application I can see some connections to the external NIC of the Sophos and port and the Bandwidth usage. my question is for the Totaal network traffice, the number that we see is based on what? is it on the flay? or it shows data from last 5 minute to the point that we click on it?

Thanks



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    As far as I understand the total traffic based on the open connections you see in this tab.

    For example: you choose the WAN IF, and there are three open connections for HTTP. Each connection has 1 MB traffic since the connection was established. That means the total traffic will show 3 MB of HTTP traffic. If one of this three connections will be closed because the session has expired, you will see the remaining two sessions and a total HTTP traffic of 2 MB.


    Jas Man

Reply
  • 0

    Hi,

    As far as I understand the total traffic based on the open connections you see in this tab.

    For example: you choose the WAN IF, and there are three open connections for HTTP. Each connection has 1 MB traffic since the connection was established. That means the total traffic will show 3 MB of HTTP traffic. If one of this three connections will be closed because the session has expired, you will see the remaining two sessions and a total HTTP traffic of 2 MB.


    Jas Man

Children
  • 0 in reply to Jas Man

    Hi Jas,

    Thanks for your reply and info,

    If I understand you correctly, the info that we see for the Total Traffice for a port number lik 6598 is from the moment that: a client from internet is connected to the external IF and we cannot say from what time! correct?


    Also until now I tought that unclassified means a port number that no known application using that port, for exmaple when connecting to the RDP to a server that using a non defualt port like 6598 then net flow monitor shows the port numebr 6568 as unclassified, but when I look in the unclassified there I can see alots of port 80. any idea what this means? or my understaing of the unclassified is not correct?

    Thanks

  • 0 in reply to AreshAreshi

    Hi,

    you not only see connections from the Internet to the LAN in the FlowMonitor. You also see connections from clients in the LAN to the Internet. It depends on what stands under "Server". If it shows your WAN IP or the name of your WAN interface, it's a connection from outside. If you see a external address like "bos-m029a-rdr1.blue.icq.net", it's a connection from a client to the Internet. It also depends on which interface you choose for monitoring. If you choose the LAN interface, you will not see any connections to your WAN address of course.

    The shown port is always the destination port.

    The total traffic is based on the lifetime of this connection. So you are right, you can't say in which time the total traffic was generated.

    I think "Unclassified traffic" is traffic, which could be not classified by the UTM. In your case it's non-HTTP traffic, which runs over port 80. But I'm not sure in this point.

    Jas Man

  • 0 in reply to Jas Man

    Hi Jas,

    Thank you for your detailed info,

    Is it possible to trace to whitch server the unclaasified connection goes? I mean from the flow monitor of the WAN IF I can see a connection in unclaasified that come from one of the public IPs of the Sophos that use port 80. can we trace where this connection goes?

    Thanks

  • 0 in reply to AreshAreshi

    Hi,

    the flow monitor shows the destination, not the source address. That means someone from extern access port 80 of your UTM, or something behind it if port forwarding is enabled (e.g. for a web server in the LAN). You should see the start of this session and the source address in the firewall log, if logging is enabled for this rule.

    You can also take a look under "Support" -> "Advanced" -> "LAN connetions". Search for [PUBLIC IP OF UTM]:80. (STRG+F).

    Jas Man

Unfiltered HTML